Shazzer logo
Login

Entities allowed between slashes on a protocol relative URL

⚠ Browser differences
Chrome logo 1
Firefox logo 1
Edge logo 1
Safari logo 4

You can place whitespace between slashes, this vector finds out what entities you can place in between them.

hackvertor
Created byhackvertor
Created Jul 6, 2024
Updated May 27, 2025

Tweet
Detecting browser...
CategoryEntity Parsing
VisibilityPublic
TypeJS
CharsetUTF-8
$[data1] placeholderhtml_entities
Code used before fuzz:
const div = document.createElement('div')
Template used:
div.innerHTML='<a href="/$[data1]/example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   log('$[data1]');0x0D
}

Sample payloads

div.innerHTML='<a href="/&bsol;/example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&bsol;');0x0D
}
div.innerHTML='<a href="/&NewLine;/example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&NewLine;');0x0D
}
div.innerHTML='<a href="/&sol;/example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&sol;');0x0D
}
div.innerHTML='<a href="/&Tab;/example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
   alert('&Tab;');0x0D
}

Fuzz results

Chrome logo
Chrome 144.0.0.0 desktop macOS 10.15.7
Updated31 Jan 2026
Found 1 result
Loading...
Chrome logo
Chrome 126.0.0.0 desktop macOS 10.15.7older version
Updated6 Jul 2024
Found 4 results
Loading...
Firefox logo
Firefox 147.0 desktop Linux
Updated1 Feb 2026
Found 1 result
Loading...
Firefox logo
Firefox 127.0 desktop macOS 10.15older version
Updated6 Jul 2024
Found 4 results
Loading...
Edge logo
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated31 Jan 2026
Found 1 result
Loading...
Safari logo
Safari 17.5 mobile iOS 17.5.1
Updated6 Jul 2024
Found 4 results
Loading...

Distributed Fuzzing

Enabled:
Status:disconnected
Your browser automatically contributes to distributed fuzzing when idle.